What Should We Do with the Spanish Organic Law on the Protection of Personal Data? Maria Del Mar Pérez Velasco Professor Of

What should we do with the Spanish Organic Law on the Protection of Personal Data?

Maria del Mar Pérez Velasco Professor of Constitutional Law Universitat de Barcelona

The European General Data Protection Regulation (GDPR) will introduce a particularly new point as regards our sources of law. For the first time, the regulation of the exercise of a fundamental right (for which an organic law is needed pursuant to the Spanish Constitution) will be laid down in an EU Regulation – which, according to its nature, is excluded from the national control of constitutionality.

As of 25 May 2018, the whole GDPR will be mandatory and directly applicable in all EU Member States, and will thus exclude the current Organic Law 15/1999, of 13 December, on the Protection of Personal Data (LOPD) and its implementing regulation (Royal Decree 1720/2007, of 21 December). It must be noted that, pursuant to Article 288 of the Treaty on the Functioning of the European Union, EU regulations have general application, are binding in their entirety and are directly applicable in all Member States, which means that they do not require any law introducing them into the national legislation or publishing them in order to take full effect.

The GDPR –its full name being Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (published in the Official Journal of the EU, L119, on 4 May 2016)– is based on Article 8.1 of the Charter of Fundamental Rights of the European Union and on Article 16.1 of the Treaty on the Functioning of the European Union. It was adopted after a long and complex process that deserves itself a specific analysis. The Regulation introduces a new model for the protection of personal data based on the responsible use of information and leaves behind the approach taken by the repealed Directive, which focused on data management. Aware that we are living in a “law-saturated society”, as pointed out by Stefano Rodotà, the relative simplicity of the GDPR makes it a new global standard in the digital sphere.

The GDPR will exclude the current national laws overlapping with its scope of application. This means that current laws cannot regulate matters that are regulated by the GDPR, and this also applies to future national laws.

Nevertheless, this exclusion effect must be qualified. Firstly, the GDPR material scope of application is limited to those activities falling within the scope of EU law. It expressly excludes data processing related to the common foreign and security policy, and to the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security. Broadly speaking, these exclusions coincide with those laid down by the repealed Directive and the LOPD.

These fields are conditional upon the new EU regulations. For example, upon two Directives that are shaping the new common regulatory space: the Directive (EU) 2016/680, of 27 April, on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA, and the Directive 2016/681, of 27 April, on the use of passenger name record (PNR) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime.

Secondly, in those cases listed in Recital 10 the GDPR allows Member States to maintain or introduce national provisions to further specify the application of the rules of this Regulation. It also provides a margin of manoeuvre for Member States to specify its rules. To that extent, this Regulation does not exclude Member State laws that set out the circumstances for specific processing situations, including determining more precisely the conditions under which the processing of personal data is lawful.

In any case, this room for manoeuvre given to the Member States does not authorize putting the Regulation on the same level as a directive. For this reason, adapting the national legislation to this Regulation remains problematic. In this sense, on 7 February 2017 the Spanish Ministry of Justice submitted to public consultation several legislative options aiming to “cleanse the legal system” by eliminating those national laws that are incompatible with EU law and, when appropriate, adopting additional laws necessary for the completely effective application of the Regulation. Additionally, the Order of 2 November 2016 set up a work group within the Third Section of the General Codification Commission targeted at adapting the Spanish legislation to the GDPR. This work group was supposed to submit a proposal on 1 May 2017, which we are unaware of at the time of writing this post.

To summarize, the period of enforceability of the LOPD seems to be coming to an end. This will break with the monopoly of the Parliament in the field of human rights regulation, which might in turn determine the legal and constitutional protection system as regards the fundamental right to the protection of personal data.